Gawker breach shows need for strong passwords

Published 12:00 am, Tuesday, December 14, 2010

Security experts warn not to use the same password for all your online log-ins. If one account is compromised, knowing that single password can give cyberscum potential access to all your accounts.

On Monday, we had a real-world proof of that concept.

Over the weekend, Gawker Media — the blogging network that includes such popular sites as Gawker, Gizmodo, Jezebel, Kotaku, DeadSpin and Lifehacker — said its computers had been breached and its account database stolen. What this means is that if you have ever registered to comment on a Gawker site, your credentials are at risk.

Gawker says the passwords in its database were encrypted, but if you used a simple password, then it's possible that a “brute force” attack — in which a computer program is used to guess the password over and over — could reveal it.

The database's content, along with other sensitive information grabbed from Gawker's servers, has been posted to the Net for anyone to download. A group calling itself Gnosis has claimed responsibility for the breach and the posting of the file.

As first reported by the online news site The Next Web, a 500-megabyte file also contained passwords and private chat conversations from Gawker Media's top staff, including founder Nick Denton.

Clearly, if you've ever commented on any Gawker site, it's time to change your password there, posthaste. (Note that the attack does not affect those who use Facebook Connect to sign in — those passwords aren't stored at Gawker.) Indeed, if you've got an easily guessed password, you probably should change your credentials at every site on the Web where you use that password.

On Monday morning, hackers who'd gotten access to the Gawker database began looking to see if the login credentials could be applied at other sites. They apparently found a gold mine at Twitter, the popular microblogging service.

Twitter became flooded with tweets from apparently compromised accounts touting the weight-loss capabilities of acai berries. The tweets contained links to what may or may not be malware-infected websites. While this looked like the kind of spammy software worm that typically hits social media sites, it actually appeared to be coming from accounts that had been hacked.

Del Harvey, who heads up Twitter's Trust and Safety Team, said via her own Twitter account the acai tweets were related to the surfacing of Gawker's database.

If you're not sure whether you have a Gawker commenting account, just click the Login link at the top of any page on those sites. Click the Forgot Password? link and then enter your e-mail address. If you've used your e-mail address on the site, you'll be sent instructions for resetting the password. If you have never signed up, you'll be told your e-mail address isn't in Gawker's database.

The trick to preventing this is to make sure you use a different, strong password at each site you visit on the Web, one that isn't easy to guess. Remembering a lot of different passwords is not easy, but there are software tools that can help.

By the way, Gnosis — the group claiming responsibility for the Gawker attack — allegedly explained itself in an e-mail to Mediaite, a site that covers other media. The group's members apparently thought Gawker got a little uppity in a recent feud with Anonymous, an online vigilante group that operates out of a collection of image and discussion forums known as 4chan.

“I mean if you say things like that, and attack sites like 4chan (Which we are not affiliated to) you must at least have the means to back yourself up. We considered what action we would take, and decided that the Gawkmedia “empire” needs to be brought down a peg or two. Our group's mission? We don't have one.”

Yeah, it all sounds like some kind of digital food fight in a virtual high school cafeteria. Unfortunately, in all this silliness, your life online could be collateral damage.